GitBit
First lessonBlog
Sign Up

Reserved for ads. Please scroll down.

9 Conditional Access Policies You'll Kick Yourself for Not Setting Up

A conditional access policy is a set of rules and conditions that determine whether a user is granted access to a specific resource or system. These policies are typically used to secure corporate data and applications and can include factors such as the device being used, the location of the user, and the level of risk associated with the request for access. The policy can be implemented using various technologies, such as multi-factor authentication, device management, and identity management systems.

Conditional access policies are an important part of a comprehensive security strategy for organizations. These policies are used to control access to resources based on a set of predefined conditions, such as the location of the user, the device they are using, or the level of risk associated with the resource being accessed.

One of the main reasons to set up conditional access policies is to protect against unauthorized access to sensitive information. For example, an organization may only want to allow access to certain resources from specific locations or devices or require multi-factor authentication for access to high-risk resources. By implementing these types of policies, organizations can reduce the risk of data breaches and other security incidents.

Another reason to set up conditional access policies is to ensure compliance with regulatory requirements. Many industries have specific regulations in place that require organizations to implement certain security controls, such as encryption or multi-factor authentication. By setting up conditional access policies, organizations can ensure that they are in compliance with these regulations and avoid potential fines or penalties.

Another benefit of conditional access policies is that it can help organizations to maintain productivity and prevent disruptions. For example, an organization may want to prevent access to certain resources from personal devices, which can help to reduce the risk of data breaches caused by lost or stolen devices. Additionally, conditional access policies can be used to prevent users from accessing resources from untrusted locations, which can help to reduce the risk of phishing and other types of attacks.

Typically, I create each of these policies as a separate conditional access policy. Sure you could combine a couple of them into one policy but then you lose the granularity. For example, the first policy is blocking certain countries. So maybe you create a policy that only allows logins from certain countries, while only using certain devices and the login must be from a compliant device. Then, one of your users is leaving the country so you need to exclude them from the certain countries list. If you have everything in a single policy you'll need to allow that user to login from anywhere, AND the user won't need a compliant device. Wouldn't it be safer to continue to require the user to use a compliant device and allow them to log in from any country?

How to deploy conditional access policies

Lastly, I always deploy conditional access policies in batches. For example, I'll start with a test account and verify access. Then I'll deploy it to a couple of IT users to verify access. Then, depending on the size of the company I'll deploy the conditional access policy to a department or an office. Lastly, I'll deploy the conditional access policy to everyone. This batched deployment helps find errors and issues without disrupting the entire organization. Lastly, I typically add a break glass account. A break glass account is an exception to each conditional access policy. That way, if Microsoft or one of your admins ever screws up a conditional access policy you can still get in and disable the conditional access policy.

1. Block login except from certain countries

With any cloud, it's accessible from anywhere at any time. But does your Microsoft 365 tenant really need to be accessible from anywhere? A lot of malicious actors are coming from certain countries where you may not even have any employees. For example, the number one hotspot for hackers is China. Do you have any employees logging in from China? No, then create a conditional access policy to block those logins.

By limiting login attempts to specific geographic locations, organizations can reduce the risk of unauthorized access to sensitive information and systems from potentially malicious actors located in other regions. Additionally, this policy can also help to comply with local laws and regulations related to data protection and privacy.

This policy is only effective if you aren't a global organization. If you have employees on every continent you'll either need to break down the policy so users in the North America group can only log in from North America or skip this policy.

To create this conditional access policy you'll need to first create a named location. Then you can create a conditional access policy.

How to create a named location

There are two ways to create the named location and conditional access policy. Using an allow list or block list. An allow list is "I want to only allow logins from these countries". A block list is "I want to allow login from anywhere except these locations". In the following guide, I'll be creating an allow list to only allow logins from the U.S.A. and the United Kingdom.

Create a named location in Microsoft 365
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Named locations. Click Countries location.
  2. Name the location "Allowed Countries". Check Include unknown countries/regions. Click United States and United Kingdom.
  3. Click Create.

Create a conditional access policy to block log-ins from certain countries

Create a conditional access policy to block country log ins
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Allowed Countries"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > All cloud apps.
  5. Click 0 conditions selected > Not configured (under Locations) > Set Configure to Yes > Any location (under Include).
  6. Click Exclude > None (under Select) > Check Allowed Countries and Multifactor authentication trusted IPs. Click Select.
  7. Click 0 controls selected (under Grant) > Block access > Select > On > Create.

2. Block unused device operating systems

By only allowing devices with supported operating systems to access corporate resources, organizations can reduce the risk of hackers accessing your Microsoft 365 environment. For example, does anyone use Linux? What about Macs? Maybe you give everyone an Android device so there's no need to allow iPhones.

Additionally, this policy can also help to prevent employees from using personal devices that may not meet the organization's security standards, which can also be a compliance concern.

This policy is only effective if you know certain operating systems shouldn't be in your organization. If you have some users on Windows, Mac, Linux, Android, and iOS then this policy is ineffective and can be skipped.

Block devices from signing into Microsoft 365
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Blocked Devices"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > All cloud apps.
  5. Click 0 conditions selected > Not configured (under Device platforms) > Set Configure to Yes > Any device.
  6. Click Exclude > click any operating systems that should be able to connect to your Microsoft 365 tenant. Click Done.
  7. Click 0 controls selected (under Grant) > Block access > Select > On > Create.

3. Require compliant devices

A Microsoft 365 compliance policy is a set of rules and configurations that an organization can use to ensure compliance with regulatory standards and industry best practices within the Microsoft 365 ecosystem. These policies can be implemented through the Microsoft Endpoint Manager admin center and can be used to manage and protect sensitive data, prevent data breaches, and meet regulatory requirements for data retention, eDiscovery, and more.

Microsoft 365 compliance policies can include controls such as requiring device encryption, a device passcode, certain update levels, and a Microsoft Defender for Endpoint risk score to name a few of the options.

By implementing Microsoft 365 compliance policies, organizations can ensure that their data is only accessed on secure and protected devices.

I won't go into details about how to set up a compliance policy because it's already covered but below is how to set up the conditional access policy to require a compliant device.

If your organization doesn't require all your devices to be registered in Intune or doesn't have any compliance policies this policy should be skipped.

Require compliant device to connect to Microsoft 365
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Require Compliant devices"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > All cloud apps.
  5. Optional: If you're still deploying compliance policies you may want to target specific operating systems at first.
  6. Click 0 control selected (under Grant) > Grant access > Require device to be marked as compliant > Select > On > Create.

4. Require Hybrid Azure AD joined device

"Require Hybrid Azure AD joined device" is a condition that can be set in a conditional access policy to ensure that only devices that are joined to both an on-premises Active Directory (AD) and Azure AD are able to access corporate resources. This condition can be used to ensure that all Windows computers are domain-joined computers.

When a device is Hybrid Azure AD joined, it means that the device is connected to both the on-premises AD and Azure AD, allowing for a more seamless and secure experience for the user. The device is also registered with Azure AD, and this allows the organization to manage and secure the device using Azure AD and other Microsoft cloud services.

Since users won't be able to bring their own computers some organizations opt not to put this policy in place. But, if you're assigning every user a corporate computer that's joined to your on-premises domain and you don't allow users to use their own personal computers then you should implement this policy.

Lastly, you'll need to sync your on-premises AD devices to Microsoft 365.

Require hybrid joined devices

  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Require hybrid devices"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > All cloud apps.
  5. Click 0 conditions selected > Not configured (under Device platforms) > Set Configure to Yes > Select device platforms > Windows > Done
  6. Click 0 controls selected (under Grant) > Grant access > Require Hybrid Azure AD joined device > Select.
  7. Click On > Create.

5. Require an app protection policy

An app protection policy is a set of rules and configurations that an organization can use to secure and manage mobile apps on employee-owned devices. These policies can be implemented through mobile device management (MDM) or mobile application management (MAM) software and can restrict access to sensitive data, prevent data leakage, and ensure compliance with security and regulatory standards.

App protection policies can include controls such as requiring a passcode to access the app, encrypting data at rest and in transit, and limiting the ability to share or print data. They can also include controls such as controlling access to the app based on device, location, or network and controlling the app's ability to access the device's camera, microphone, and other resources.

By implementing app protection policies, organizations can ensure that sensitive data remains secure and protected, even if an employee's device is lost or stolen. It also allows the organization to have more control over the data and how it's used, which can be an important consideration in regulated industries.

By adding a conditional access policy requirement you can lock out any other types of apps. For example, if you want everyone on Android devices to be using Microsoft Outlook to access your organization's email environment, you can create an app protection policy for Microsoft Outlook on Android and not create an app protection policy for any other apps.

Before creating the conditional access policy you'll need to join your devices to intune and create an app protection policy in Endpoint manager admin center. Create an app protection policy to allow Microsoft Outlook on Android devices.

How to create a conditional access policy to require an app protection policy
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Require Outlook on Android"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > Select apps > None > search for Exchange > Office 365 Exchange Online > Select.
  5. Not configured (under Device platforms) > Set Configure to Yes > Select device platforms > Android > Done.
  6. Click 0 controls selected (under Grant) > Grant access > Require app protection policy > Select. Set Enable policy to On > Create.

6. Block high-user risk

The Microsoft 365 User risk level is a feature that helps to determine the risk of a user account in Microsoft 365. It uses Azure AD Identity Protection, which analyses multiple signals including IP address, device state, and suspicious activity, to determine the risk level of a user account.

The Microsoft 365 User risk level is divided into three categories:

  • Low risk: User accounts that are determined to be low risk are typically considered to be legitimate.
  • Medium risk: User accounts that are determined to be medium risk may be legitimate but are also more likely to be compromised or targeted by a malicious actor. Some cybersecurity experts recommend requiring additional security measures on medium risk. I typically don't.
  • High risk: User accounts that are determined to be high risk are considered to be compromised and should be blocked.

By using the Microsoft 365 User risk level feature, organizations can detect and respond to suspicious account activity more effectively, helping to prevent unauthorized access to sensitive information and systems. This is an important security feature that can help to reduce the risk of data breaches and comply with regulatory requirements.

You can set up the user risk level in Microsoft Entra > Protect & secure > Identity Protection > User risk policy but conditional access policies allow you to be more granular. For example, with a conditional access policy, you can exclude your office locations or set it only to certain cloud apps or set it to require the device be marked as compliant.

Block high user risk in Microsoft 365
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Block high user risk"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > All cloud apps.
  5. Click 0 conditions selects > Not configured (under User risk) > Set Configure to Yes > High > Done
  6. Click 0 controls selected (under Grant) > Block access > Select. Click On (under Enable policy) > Create.

7. Block high sign-in risk

The Microsoft 365 sign-in risk level is a feature that helps to determine the risk of a sign-in attempt in Azure Active Directory (Azure AD) and Microsoft 365. It uses Azure AD Identity Protection, which analyses multiple signals including IP address, device state, and suspicious activity, to determine the risk level of a sign-in attempt.

The Microsoft 365 sign-in risk level is divided into three categories:

  • Low risk: Sign-in attempts that are determined to be low risk are typically considered to be legitimate and are allowed to proceed.
  • Medium risk: Sign-in attempts that are determined to be medium risk may be legitimate but are also likely to be an attempt by a malicious actor. Some cybersecurity experts recommend requiring additional security measures on medium risk. I typically don't.
  • High risk: Sign-in attempts that are determined to be high risk are considered to be malicious and are blocked.

By using the Microsoft 365 sign-in risk level feature, organizations can detect and respond to suspicious sign-in attempts more effectively, helping to prevent unauthorized access to sensitive information and systems. This is an important security feature that can help to reduce the risk of data breaches and comply with regulatory requirements.

Block high sign in risk from accessing Microsoft 365
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Block High Sign In Risk"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > All cloud apps.
  5. Click 0 controls selected (under Grant) > Block access > Select. Click On (under Enable policy) > Create.

8. Require MFA

Requiring multi-factor authentication (MFA) to log in to Microsoft 365 is a security measure that can help to prevent unauthorized access to sensitive information and systems. MFA adds an additional layer of security to the login process by requiring users to provide two or more forms of authentication, such as a password and a security code sent to a mobile device, to access their account. Enough said about MFA. Let's jump to it.

Require MFA using conditional access policy
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Require MFA"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click No cloud apps, actions, or authentication contexts selected > All cloud apps.
  5. Click 0 controls selected (under Grant) > Grant access > Check Require multifactor authentication > Select. Click On (under Enable policy) > Create.

9. Block basic/legacy authentication

Blocking legacy authentication in Microsoft 365 is a security measure that can help to prevent unauthorized access to sensitive information and systems. Legacy authentications are older methods of authenticating users that typically send the user's credentials (username and password) in plaintext over the internet.

Legacy authentication is also used for protocols like IMAP, and POP which malicious hackers love to use once they gain the credentials to one of your accounts.

Block legacy authentication in Microsoft 365
  1. Go to Microsoft Entra admin center > Protect & secure > Conditional Access > Policies > New policy.
  2. Name the policy "Block Legacy Authentication"
  3. Click Users > All users. Add any exceptions you may need.
  4. Click 0 conditions selected > Not configured (under Client apps) > Set Configure to Yes > Uncheck everything under Modern authentication clients. Check everything under Legacy authentication clients > Done
  5. Click 0 controls selected (under Grant) > Block access > Select > Set Enable policy to On > Create.
Did you like the site?